Last year, the Shadow Brokers hacker group published various NSA tools. Exploits such as EternalBlue were subsequently used in ransomware attacks such as WannaCry, NotPetya and Bad Rabbit. A security researcher has now taken a closer look at other exploits from the leak and modified them so that they run on all versions of Windows.
In addition to EternalBlue, other exploits were released. Here is the list:
- EternalBlue: addressed in MS17-010
- EmeraldThread: addressed in MS10-061
- EternalChampion: addressed in CVE-2017-0146 & CVE-2017-0147
- ErraticGopher: addressed before the release of Windows Vista
- EskimoRoll: addressed in MS14-068
- EternalRomance: addressed in MS17-010
- EducatedScholar: addressed in MS09-050
- EternalSynergy: addressed in MS17-010
- EclipsedWing: addressed in MS08-067
These exploits take advantage of vulnerabilities in Windows, but originally worked only against certain versions. Now, RiskSense security researcher Sean Dillon (@zerosum0x0) has modified the source code of some of these lesser-known exploits so that they work on a wide range of Windows operating systems and execute code at SYSTEM level.
The researcher has recently integrated these modified versions of EternalChampion, EternalRomance and EternalSynergy into the Metasploit Framework, an open source penetration testing project on GitHub. He posted this message on Twitter:
MS17-010 #EternalSynergy #EternalRomance #EternalChampion exploit and auxiliary modules for @Metasploit. Support for Windows 2000 through 2016. I basically bolted MSF psexec onto @sleepya_ zzz_exploit. https://t.co/UnGA1u4gWe pic.twitter.com/Y9SMFJguH1
— zǝɹosum0x0 (@zerosum0x0) January 29, 2018
The modified exploits can exploit the following vulnerabilities:
| CVE | Vulnerability | NSA Exploit |
| --- | --- | --- |
| CVE-2017-0143 | Type confusion between WriteAndX and Transaction requests | EternalRomance, EternalSynergy |
| CVE-2017-0146 | Race condition with Transaction requests | EternalChampion, EternalSynergy |
These exploits should now work against every unpatched Windows version in the following list.
- Windows 2000 SP0 x86
- Windows 2000 Professional SP4 x86
- Windows 2000 Advanced Server SP4 x86
- Windows XP SP0 x86
- Windows XP SP1 x86
- Windows XP SP2 x86
- Windows XP SP3 x86
- Windows XP SP2 x64
- Windows Server 2003 SP0 x86
- Windows Server 2003 SP1 x86
- Windows Server 2003 Enterprise SP 2 x86
- Windows Server 2003 SP1 x64
- Windows Server 2003 R2 SP1 x86
- Windows Server 2003 R2 SP2 x86
- Windows Vista Home Premium x86
- Windows Vista x64
- Windows Server 2008 SP1 x86
- Windows Server 2008 x64
- Windows 7 x86
- Windows 7 Ultimate SP1 x86
- Windows 7 Enterprise SP1 x86
- Windows 7 SP0 x64
- Windows 7 SP1 x64
- Windows Server 2008 R2 x64
- Windows Server 2008 R2 SP1 x64
- Windows 8 x86
- Windows 8 x64
- Windows Server 2012 x64
- Windows 8.1 Enterprise Evaluation 9600 x86
- Windows 8.1 SP1 x86
- Windows 8.1 x64
- Windows 8.1 SP1 x64
- Windows Server 2012 R2 x86
- Windows Server 2012 R2 Standard 9600 x64
- Windows Server 2012 R2 SP1 x64
- Windows 10 Enterprise 10.10240 x86
- Windows 10 Enterprise 10.10240 x64
- Windows 10 10.10586 x86
- Windows 10 10.10586 x64
- Windows Server 2016 10.10586 x64
- Windows 10 10.0.14393 x86
- Windows 10 Enterprise Evaluation 10.14393 x64
- Windows Server 2016 Data Center 10.14393 x64
Anyone responsible for administering systems should make sure they are up to date. More details can be found in the GitHub post linked above or at Bleeping Computer.
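Since all three modules target the same SMBv1 weaknesses fixed in MS17-010, an administrator can quickly check whether a host still exposes that attack surface. The following script is an added example, not code from the article or from the Metasploit project; the KB numbers are the per-OS MS17-010 security updates from the Microsoft bulletin, and the registry key is the documented LanmanServer SMB1 switch.

```powershell
# Added example: report whether this host still exposes the SMBv1 surface used by
# EternalRomance / EternalSynergy / EternalChampion (MS17-010). Run in an elevated shell.
# Later cumulative updates supersede these KBs, so "none found" means "unknown", not "vulnerable".
$Ms17010Kbs = @(
    'KB4012598',                             # XP, Server 2003, Vista, Server 2008
    'KB4012212', 'KB4012215',                # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012214', 'KB4012217',                # Windows 8 / Server 2012
    'KB4012213', 'KB4012216',                # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'    # Windows 10 1507 / 1511 / 1607 and Server 2016
)

function Get-Smb1State {
    # Windows 8 / Server 2012 and later expose the setting through the SmbShare module.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Older releases: SMB1 is on unless the LanmanServer 'SMB1' value is explicitly 0.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $val) -or ($val -ne 0)
}

function Test-Ms17010Exposure {
    $smb1      = Get-Smb1State
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
                 Where-Object { $Ms17010Kbs -contains $_.HotFixID } |
                 Select-Object -ExpandProperty HotFixID
    $serverUp  = (Get-Service LanmanServer -ErrorAction SilentlyContinue).Status -eq 'Running'

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        OSVersion       = [Environment]::OSVersion.Version.ToString()
        ServerServiceUp = $serverUp
        Smb1Enabled     = $smb1
        Ms17010KbFound  = if ($installed) { $installed -join ',' } else { 'none (check cumulative update level)' }
        # Exposed only when the SMB server runs, SMB1 is on, and no MS17-010 fix is visible.
        LikelyExposed   = $serverUp -and $smb1 -and -not $installed
    }
}

Test-Ms17010Exposure | Format-List
```

Disabling SMBv1 outright removes the attack surface regardless of patch state, so a `Smb1Enabled = True` result is worth acting on even when the KB check is inconclusive.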
Is it possible for you to submit an exploit for Windows Server 2019?
Here it is: !!1elf